CCNA Security 640-554 Certification Tutorial:
IP Spoofing And RFC 3704 / 2827 Filtering
What's Being Spoofed? What's Being Filtered?
Chris Bryant, CCIE #12933
ISDN is long gone from Cisco certification exams, but there's a term from the ISDN days that you need to know for your CCNA Security exam ... "spoofing".
When two routers communicate via ISDN, one router is basically making a phone call to another. Obviously, we can't have that call in place all the time or we're going to get a really big phone bill!
Instead, we'd allow the ISDN line to show as "spoofed", so the connecting network would appear in the routing tables but the actual phone call would not be in place.
We don't have to concern ourselves with ISDN spoofing for these exams, but for these exams *and* real-world network security, we have to be familiar with IP spoofing.
Simply put, when a network intruder uses the IP address of a trusted device in order to gain access to your network, that's IP Spoofing.
IP Spoofing can be used against your network in several ways:
Injecting a stream of malicious code and/or commands into your network
To trick legitimate network hosts into sending sensitive data to the attacker
As part of a reconnaissance attack, an attack that in itself may not be damaging, but is used to gather information for future, more destructive attacks.
One simple and powerful step we can take to stop these attacks is preventing IP packets with certain IP source addresses from being admitted to our network in the first place.
Think about it - if a packet arrives on your network's outside router with a source IP address of 0.0.0.0, is it likely from a legitimate source?
So what other source IP addresses should we be concerned about?
Two RFCs define these suspect addresses. The original is RFC 2827, and the updated version is RFC 3704. The latter recommends that you prohibit packets with source IP addresses from the following ranges from entering your network -- and some of these ranges should look familiar!
10.0.0.0 /8 (RFC 1918 Class A private range)
127.0.0.0 /8 (loopback address range)
172.16.0.0 /12 (RFC 1918 Class B private range)
192.168.0.0 /16 (RFC 1918 Class C private range)
224.0.0.0 /4 (reserved for IP multicasts)
240.0.0.0 /4 (RFC 1918 Class E private range)
Blocking these address ranges for incoming traffic on your network's perimeter routers is sometimes called "2827 filtering" or "3704 filtering", referring to the original and updated RFCs that discuss this topic in a great deal of detail.
You can also use a combination of encryption techniques such as IPSec, one-time-only passwords, and access lists to defend against spoofing attacks. The combination you use really depends on your network, but in any case I would use RFC 3704 filtering.
If you place your router into "one-step lockdown", packets sourced from any of these ranges are blocked.
Of course, not all harmful packets will be sourced from these ranges - but blocking these ranges is an excellent step in the right direction!
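Here is what the filtering described above looks like as a Cisco IOS configuration. This is an added example, not a configuration from the tutorial: it builds one extended ACL that denies the 0.0.0.0 source and the six ranges listed above (240.0.0.0/4 being the reserved "Class E" space, never assigned to hosts), applies it inbound on the Internet-facing interface, and adds the companion check that the RFCs also call for: a packet arriving from the outside must never carry your own internal prefix as its source. The interface name and the internal prefix 203.0.113.0/24 (a documentation range) are assumptions; substitute your own.

```cisco
! Added example, not from the tutorial. Assumed values: interface
! GigabitEthernet0/0 is the outside interface, and 203.0.113.0/24 stands in
! for your own public address block.
ip access-list extended RFC3704-INGRESS
 remark --- RFC 3704 / 2827: source addresses that never legitimately arrive from the Internet ---
 deny   ip host 0.0.0.0 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 15.255.255.255 any log
 remark --- our own prefix as a SOURCE on the outside interface is a spoof ---
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark --- everything else continues to the rest of the perimeter policy ---
 permit ip any any
!
interface GigabitEthernet0/0
 description Outside interface facing the ISP
 ip access-group RFC3704-INGRESS in
!
```

The wildcard masks are the inverse of the prefix lengths in the list (/8 is 0.255.255.255, /12 is 0.15.255.255, /16 is 0.0.255.255, /4 is 15.255.255.255). The `log` keyword on each deny produces a syslog message naming the offending source address and increments the per-entry counter you can read with `show ip access-lists RFC3704-INGRESS`, which is the quickest way to confirm the filter is actually catching spoofed traffic; on a busy edge router, logging every match costs CPU, so keep `log` while you tune the policy and drop it from the high-volume entries afterwards. The closing `permit ip any any` keeps this example focused on spoofing; a real perimeter ACL would be far more restrictive.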
CCNA Security 640-554 Videos And Tutorials
CCNA Security 640-554 Video Boot Camp Preview
Students in that course receive a 60% discount on the full course on October 29 - so it's well worth taking five minutes to sign up right now!
They'll also get the best possible price on my CCNP Security 640-554 Bulldog Boot Camp DVD!